Abstract. Modeling time-related aspects is important in many applications of verification methods. For precise results, it is necessary to interpret time as a dense domain, e.g. using timed automata as a formalism, even though the system's resulting infinite state space is challenging for verification methods. Furthermore, fully symbolic treatment of both timing-related and non-timing-related elements of the state space seems to offer an attractive approach to model checking timed systems with a large amount of non-determinism. This paper presents an SMT-based timed system extension to the IC3 algorithm, a novel, highly efficient, complete SAT-based verification method for untimed systems. Handling of the infinite state spaces of timed systems in the extended IC3 algorithm is based on suitably adapting the well-known region abstraction for timed systems. Additionally, k-induction, another symbolic verification method for discrete time systems, is extended in a similar fashion to support timed systems. Both new methods are evaluated and experimentally compared to a booleanization-based verification approach that uses the original discrete time IC3 algorithm.

1 Introduction 

In many application areas of model checking, such as analysis of safety instrumented systems, modeling and analyzing in the presence of dense time constructions such as timers and delays is essential. Compared to finite state systems, such timed systems add an extra layer of challenge for model checking tools. In many cases, timed automata [1–3] are a convenient formalism for describing and model checking timed systems. There are many tools, Uppaal [4] to name just one, for timed automata, and model checking algorithms for timed automata have been studied extensively during the last two decades; see e.g. [3] for an overview. Most state-of-the-art model checking systems for timed automata use the so-called region abstraction to make a finite state abstraction of the dense time clocks in the automata. These regions are then manipulated symbolically with difference bounded matrices or decision diagram structures (see e.g. [5]).

In this paper our focus is on model checking of safety instrumented systems (see e.g. [6]). Such systems have features that are challenging for the classic timed automata based approach described above. First, safety instrumented systems do typically involve a substantial number of timing related issues. However, such systems are often not best described using automata-like control structures but with a sequential circuit-like control logic. This makes the use of timed automata rather inconvenient in modeling. Second, such systems tend to have a relatively large amount of non-deterministic input signals which are computationally challenging for model checking tools based on explicit state representation of discrete components (i.e. control location and data).

Hence, we are interested in developing model checking techniques that complement the automata based methods to address these issues. Instead of timed automata, we use a more generic symbolic system description formalism [7] which can be seen as an extension of the classic symbolic transition systems [8] with dense time clock variables and constraints. In our previous work [7], we have experimented with (i) SMT-based bounded model checking (BMC) [9, 10], and (ii) BDD-based model checking based on booleanization of the region abstracted model. These methods were not totally satisfactory as (i) BMC can, in practice, only find bugs, not prove correctness of the system, and (ii) the BDD-based method does not seem to scale well to realistically sized models.

In order to address the computational challenge of developing model checking techniques that can handle timing as well as a substantial amount of non-deterministic input signals and prove correctness, we turn to inductive techniques. The motivation here is the success of temporal induction [11, 12] and, especially, of the IC3 algorithm [13] in the verification of finite state hardware systems. Our approach is to employ SMT solvers instead of SAT solvers as the basic constraint solver technology and apply symbolic region abstraction to handle the dense time clocks in the models. We extend IC3 to timed systems by using linear arithmetics instead of propositional logic and by lifting the concrete states found by the SMT solver to symbolic region level constraints that are further used in the subsequent steps to constrain the search. As a result we obtain a version of IC3 that does not explicitly construct the symbolic region abstracted system but still can exclude whole regions of states at once. We also describe an SMT-based extension of the k-induction algorithm to these kinds of timed systems. In addition, we develop optimizations that allow us to exclude more regions at a time in the SMT-based IC3 algorithm, and to use stronger "simple path" constraints in k-induction.

Our experimental results indicate that SMT-based IC3 can indeed prove many more properties and on much larger models than were possible with our earlier approaches or with SMT-based timed k-induction. Furthermore, when comparing to the approach of using the original propositional IC3 on a booleanized region abstracted model, we observe that using richer logics in the SMT framework makes the IC3 algorithm scale much better for timed systems. However, IC3 seems to perform worse than k-induction (and thus BMC) in finding counter-examples to properties that do not hold. This is probably due to its backwards DFS search nature, and leads us to the conclusion of recommending the use of a portfolio approach combining SMT-based BMC and IC3 when model checking these kinds of safety instrumented systems.

2 Symbolic Timed Transition Systems and Regions 

We model timed systems with symbolic timed transition systems (STTS) [7], a generic 
formalism allowing modeling of arbitrary control logic structures, data manipulation, 
and non-deterministic external inputs. In a nutshell, STTSs can be seen as symbolic 
transition systems [8] extended with real-valued clocks and associated constraints. By 
using encoding techniques similar to those in [9, 10], timed automata (and networks of 
such) can be efficiently translated into STTS [7]. 



In the following, we use standard concepts of propositional and first-order logics. We assume typed (i.e., sorted) logics, and that formulas are interpreted modulo some background theories (in particular, linear arithmetics over reals); see e.g. [14] and references therein. If $Y = \{y_1, \ldots, y_n\}$ is a set of variables and $\phi$ a formula over $Y$, then $Y' = \{y'_1, \ldots, y'_n\}$ is the set of corresponding similarly typed next-state variables and $\phi'$ is obtained from $\phi$ by replacing each variable $y_j$ with $y'_j$. Similarly, if $\psi$ is a formula over $Y \cup Y'$, then, for each $i \in \mathbb{N}$, the formula $\psi^{[i]}$ is obtained by replacing $y_j$ with $y_j^{[i]}$ and $y'_j$ with $y_j^{[i+1]}$, of the same types. For example, if $\psi = (c_1 < c_2 + \delta) \wedge x'_1$, then $\psi^{[i]} = (c_1^{[i]} < c_2^{[i]} + \delta^{[i]}) \wedge x_1^{[i+1]}$.

An STTS (or simply a system) is a tuple $(X, C, \mathit{Init}, \mathit{Invar}, T, R)$, where

- $X = \{x_1, \ldots, x_n\}$ is a finite set of finite domain state variables,

- $C = \{c_1, \ldots, c_m\}$ is a finite set of real-valued clock variables (or simply clocks),

- $\mathit{Init}$ is a formula over $X$ describing the initial states of the system,

- $\mathit{Invar}$ is a formula over $X \cup C$ specifying a state invariant (throughout the paper, we assume the state invariants to be convex, as defined later),

- $T$ is the transition relation formula over $X \cup C \cup X'$, and

- $R$ associates with each clock $c \in C$ a reset condition formula $r_c$ over $X \cup C \cup X'$.

As in the timed automata context, we require that in all the formulas of the system the use of clock variables is restricted to atoms of the form $c \bowtie n$, where $c \in C$ is a clock variable, $\bowtie \in \{<, \le, =, \ge, >\}$ and $n \in \mathbb{Z}$. Observe that, as in the timed automata context as well, one could use rational constants in systems and then scale them to integers in a behavior and property preserving way. A system is untimed if it does not have any clock variables. For the sake of readability only, we do not consider the so-called urgency constraints [7] in this paper.

The semantics of an STTS is defined by its states and how they may evolve to others. A state is simply an interpretation over $X \cup C$. A state $s$ is valid if it respects the state invariant, i.e. $s \models \mathit{Invar}$. A state $s$ is an initial state if it is valid, $s \models \mathit{Init}$, and $s(c) = 0$ for each clock $c \in C$. Given a state $s$ and $\delta \in \mathbb{R}_{\ge 0}$, we denote by $s + \delta$ the state where clocks have increased by $\delta$, i.e. $(s + \delta)(c) = s(c) + \delta$ for each clock $c \in C$ and $(s + \delta)(x) = s(x)$ when $x \in X$. A valid state $s$ may evolve into a successor state $u$, denoted by $s \rightarrow u$, if $u$ is also valid and either of the following holds:

1. Discrete step: (i) the current and next state interpretations evaluate the transition relation to true, i.e. $\gamma \models T$ where $\gamma(y) = s(y)$ when $y \in X \cup C$ and $\gamma(x') = u(x)$ when $x' \in X'$, and (ii) each clock either resets or keeps its value: for each clock $c \in C$, $u(c) = 0$ if $\gamma \models r_c$ and $u(c) = s(c)$ otherwise.

2. Time elapse step: (i) some amount of time elapses: $u = s + \delta$ for some $\delta \in \mathbb{R}_{\ge 0}$, and (ii) the state invariant is respected in the states in between: $s + \rho$ is valid for all $0 \le \rho \le \delta$.

A path is a finite sequence $s_0 s_1 \ldots s_l$ of states such that $s_i \rightarrow s_{i+1}$ holds for each consecutive pair of states in the path. A state is reachable if there is a path from an initial state to that state. A property $P$ is a formula over the state variables $X$ and the clock variables $C$, adhering to the same restrictions on the use of clock variables as the system's formulas. In this paper we are interested in solving the problem whether the given state property $P$ is an invariant, i.e. whether $P$ holds in all the reachable states of the system.

Fig. 1. Illustrations of safety instrumented systems and regions. (a) A part of a timed safety instrumented system. (b) Clock regions.

As in the contexts of timed automata and linear hybrid automata, we require the state invariants in STTSs to be convex. Formally, a state invariant is convex if for all states $s$ and for all $0 \le \eta \le \delta$ it holds that whenever $s \models \mathit{Invar}$ and $(s + \delta) \models \mathit{Invar}$, also $(s + \eta) \models \mathit{Invar}$. Thus, a state invariant cannot become false and then true again during a time-elapse step, making condition (ii) of time-elapse steps always hold. Convexity is easy to test with one call to an SMT solver.

Example 1. As an example, consider an STTS modeling the timer $T_d$ in the safety instrumented system in Fig. 1(a). The STTS has the clock variable $d$ which is reset when a discrete step makes the signal $x_1$ true, i.e. $r_d = (\neg x_1 \wedge x'_1)$, corresponding to the activation of the timer. The output signal $x_2$ is initially false, i.e. $\mathit{Init}$ contains the conjunct $(\neg x_2)$. It changes to true when the signal $x_1$ does and then stays true for two seconds. These properties are captured by the conjunct $(x'_2 \Leftrightarrow (\neg x_1 \wedge x'_1) \vee (x_2 \wedge (d < 2)))$ in the transition relation $T$. To force the timer output to be reset after two seconds, $\mathit{Invar}$ contains the conjunct $(x_2 \Rightarrow (d \le 2))$.



Regions. A conceptual tool for handling the infinite state space of an STTS is the region abstraction [1]. For a non-negative real number $a \in \mathbb{R}_{\ge 0}$, let $\mathrm{fract}(a)$ be its fractional part, i.e. $a = \lfloor a \rfloor + \mathrm{fract}(a)$ and $0 \le \mathrm{fract}(a) < 1$. Let $v$ be an interpretation over $C$ (also called a clock valuation). Furthermore, let $m_c$ be the maximum (relevant) value of the clock $c$, i.e. the largest constant that $c$ is compared to in $\mathit{Invar}$, $T$, $R$ or $P$. Two clock valuations $v$ and $w$ belong to the same equivalence class called region, denoted by $v \sim w$, if for all clocks $c, d \in C$

1. either (i) $\lfloor v(c) \rfloor = \lfloor w(c) \rfloor$ or (ii) $v(c) > m_c$ and $w(c) > m_c$,

2. if $v(c) \le m_c$, then $\mathrm{fract}(v(c)) = 0$ iff $\mathrm{fract}(w(c)) = 0$; and

3. if $v(c) \le m_c$ and $v(d) \le m_d$, then $\mathrm{fract}(v(c)) < \mathrm{fract}(v(d))$ iff $\mathrm{fract}(w(c)) < \mathrm{fract}(w(d))$.

Figure 1(b) illustrates the region abstraction for an STTS with two clocks, $c$ and $d$, with $m_c = 3$ and $m_d = 2$. The thick black lines, thick black dots and the areas in between the thick black lines each represent a different region. The region in which $\lfloor v(c) \rfloor = \lfloor v(d) \rfloor = 1$ and $0 < \mathrm{fract}(v(c)) < \mathrm{fract}(v(d))$ is highlighted in gray.



Two states, $s$ and $u$, are in the same region, denoted by $s \sim u$, if they agree on the values of the state variables and are in the same region when restricted to clock variables.

Due to the restrictions imposed on the use of clock variables, states in the same region are (i) indistinguishable for predicates, meaning that $u \models \mathit{Init}$ iff $s \models \mathit{Init}$, $u \models \mathit{Invar}$ iff $s \models \mathit{Invar}$, and $u \models P$ iff $s \models P$ whenever $s \sim u$, and (ii) forward bisimilar: if $s \rightarrow s'$ and $s \sim u$, then there exists a $u'$ such that $u \rightarrow u'$ and $s' \sim u'$.
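The region equivalence just defined, as an added example that is not part of the original paper: a small Python implementation of the three conditions on clock valuations, plus the state-level extension that also compares the state variables. Exact rationals are used so that fractional parts compare exactly. The function names, the dictionary representation of valuations and the constants m_c = 3 and m_d = 2 (taken from Fig. 1(b)) are assumptions of this example.

```python
from fractions import Fraction
from math import floor

# Added example, not code from the paper. Clock valuations are dicts mapping a
# clock name to a value; `max_const` maps each clock c to its maximum relevant
# constant m_c. Values are converted to Fraction so that fractional parts are
# compared exactly rather than through floating-point approximations.

def valuation(**clocks):
    """Build a clock valuation from string/int values, e.g. valuation(c="1.2")."""
    return {name: Fraction(value) for name, value in clocks.items()}

def fract(a):
    """Fractional part of a non-negative rational: a = floor(a) + fract(a)."""
    return a - floor(a)

def same_region(v, w, max_const):
    """True iff the clock valuations v and w belong to the same region."""
    for c, m in max_const.items():
        # 1. equal integer parts, or both clocks beyond the maximum constant m_c
        if not (floor(v[c]) == floor(w[c]) or (v[c] > m and w[c] > m)):
            return False
        # 2. below m_c, the fractional part is zero in both valuations or in neither
        if v[c] <= m and (fract(v[c]) == 0) != (fract(w[c]) == 0):
            return False
    for c, mc in max_const.items():
        for d, md in max_const.items():
            # 3. below the maxima, the ordering of fractional parts is preserved
            if c != d and v[c] <= mc and v[d] <= md:
                if (fract(v[c]) < fract(v[d])) != (fract(w[c]) < fract(w[d])):
                    return False
    return True

def same_state_region(s, u, state_vars, max_const):
    """States are in the same region iff they agree on every state variable
    and their clock parts are region-equivalent (s ~ u in the paper)."""
    if any(s[x] != u[x] for x in state_vars):
        return False
    return same_region(valuation(**{c: s[c] for c in max_const}),
                       valuation(**{c: u[c] for c in max_const}),
                       max_const)

# Constants of the two-clock example in Fig. 1(b): m_c = 3, m_d = 2.
MAX_CONST = {"c": 3, "d": 2}

if __name__ == "__main__":
    # Two points of the gray region of Fig. 1(b): floor(c) = floor(d) = 1 and
    # 0 < fract(c) < fract(d) in both valuations.
    print(same_region(valuation(c="1.2", d="1.5"), valuation(c="1.1", d="1.9"), MAX_CONST))
```

The pair loop in condition 3 runs over ordered pairs, so a reversed ordering of fractional parts is caught from either side; the equal-fraction case is covered because "c before d" is then false in both valuations.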

Formula Representation with Combined Steps. To simplify the exposition, to reduce the amount of redundancy in paths, and to enable some optimizations, we introduce a formula representation for STTSs that exploits a well-known observation: for reachability checking, it is enough to consider paths where discrete steps and time elapse steps alternate, as two consecutive time elapse steps can be merged into one and zero duration time elapse steps can be added in between discrete steps. For a given STTS $(X, C, \mathit{Init}, \mathit{Invar}, T, R)$, we define the following formulas:

- $\widehat{\mathit{Invar}} := \mathit{Invar} \wedge \bigwedge_{c \in C} c \ge 0$. Now $s \models \widehat{\mathit{Invar}}$ for a state $s$ iff $s$ is a valid state and all clock values are non-negative.

- $\widehat{\mathit{Init}} := \mathit{Init} \wedge \bigwedge_{c \in C} c = \delta$ for a free real-valued variable $\delta$. Now $s \models \widehat{\mathit{Init}}$ iff, forgetting the state validity requirements, $s$ is a state reachable from an initial state with time elapse steps only.

- $\widehat{T} := T \wedge \delta \ge 0 \wedge \bigwedge_{c \in C} (r_c \Rightarrow c' = \delta) \wedge \bigwedge_{c \in C} (\neg r_c \Rightarrow c' = c + \delta)$. Thus, a state $u$ is reachable from a state $s$ with one discrete step followed by one time elapse step iff $\pi \models \widehat{T}$ for the valuation $\pi$ on $X \cup C \cup X' \cup C'$ mapping each $z \in X \cup C$ to $s(z)$ and each $z' \in X' \cup C'$ to $u(z)$.

3 k-Induction for Timed Systems

The k-induction method [11, 12] inductively proves a reachability property for a system or discovers a counter-example while trying to prove the property. In the following, we will extend k-induction, which was originally proposed as a verification method for finite-state systems, to a complete verification method for STTS.

As the base case of an inductive proof, k-induction shows that no bad state can be reached within $k$ steps starting from an initial state for some $k \in \mathbb{N}$. As the inductive step, k-induction shows that it is impossible under the transition relation of the system to have a path consisting of $k$ good (property-satisfying) states followed by a bad (property-violating) state. Together, base case and inductive step prove that the property holds in any reachable state.

For an untimed system $(X, \emptyset, \mathit{Init}, \mathit{Invar}, T, \emptyset)$, both the base case and inductive step can be proven using a SAT solver. The base case holds iff the formula $\mathit{Init}^{[0]} \wedge \bigwedge_{i=0}^{k} \mathit{Invar}^{[i]} \wedge \bigwedge_{i=0}^{k-1} T^{[i]} \wedge \bigwedge_{i=0}^{k-1} P^{[i]} \wedge \neg P^{[k]}$ is unsatisfiable. Likewise, the inductive step holds iff the formula $\bigwedge_{i=0}^{k} \mathit{Invar}^{[i]} \wedge \bigwedge_{i=0}^{k-1} T^{[i]} \wedge \bigwedge_{i=0}^{k-1} P^{[i]} \wedge \neg P^{[k]}$ is unsatisfiable. Initially, k-induction attempts an inductive proof with $k = 0$. If unsuccessful, $k$ is increased until the inductive proof succeeds or a counter-example is found while checking the base case. Note that the large overlap both between the formulas for checking base case and inductive step and between the checks before and after increasing $k$ can be exploited by incremental SAT solvers [12].

While correct, the described approach is not complete due to the fact that the induction step is not guaranteed to hold even if the property checked is satisfied by the system. k-induction can, however, be made complete for finite-state systems by only considering simple (non-looping) paths when checking the inductive step. The most straightforward way to enforce paths to be simple is to add a quadratic number of disequality constraints to the SAT formula, requiring any pair of states to be distinct. Experimental evidence, however, suggests that it is beneficial to only add disequality constraints for pairs of states for which it is observed that disequality constraints are needed [12].
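The k-induction loop described above, as an added example that is not part of the original paper: a Python model of the base case, the inductive step and the simple-path restriction on a small finite-state system, where the SAT checks are replaced by brute-force enumeration of paths so that the interplay of the three checks can be observed directly. The systems, the function names and the representation of states as integers are assumptions made for this example; what it shows is the non-termination without the simple-path constraint and the convergence with it.

```python
# Added example, not code from the paper. A finite-state system is a dict with
# its states, initial states, a successor function `step` (the transition
# relation) and the property `P`. All of these are assumptions of this example.

def bad_suffix_paths(states, step, k, good, start_from=None):
    """Enumerate paths s_0 ... s_k whose first k states satisfy `good` and whose
    last state violates it; `start_from` restricts s_0 (None: any state)."""
    def extend(path):
        if len(path) == k + 1:
            if not good(path[-1]):
                yield path
            return
        if not good(path[-1]):
            return
        for nxt in step(path[-1]):
            yield from extend(path + (nxt,))
    for s0 in (states if start_from is None else start_from):
        yield from extend((s0,))

def base_case(system, k):
    """A counter-example of exactly k steps from an initial state, or None."""
    return next(bad_suffix_paths(system["states"], system["step"], k,
                                 system["P"], system["init"]), None)

def inductive_step_holds(system, k, simple_paths):
    """True iff there is no path of k good states followed by a bad state.
    With simple_paths=True only paths of pairwise distinct states count,
    which is the role of the disequality constraints in the SAT encoding."""
    for path in bad_suffix_paths(system["states"], system["step"], k, system["P"]):
        if not simple_paths or len(set(path)) == len(path):
            return False
    return True

def k_induction(system, simple_paths, max_k=10):
    """Increase k until the base case yields a counter-example, the inductive
    step holds, or max_k is exceeded. Returns ("counterexample", path),
    ("proved", k) or ("unknown", max_k)."""
    for k in range(max_k + 1):
        cex = base_case(system, k)
        if cex is not None:
            return ("counterexample", cex)
        if inductive_step_holds(system, k, simple_paths):
            return ("proved", k)
    return ("unknown", max_k)

# Constructed system: only state 0 is initial and reachable, so P holds. The
# unreachable cycle 1 <-> 2 leads to the bad state 3, so without the
# simple-path restriction the inductive step is satisfiable for every k.
TOY = {
    "states": [0, 1, 2, 3],
    "init": [0],
    "step": lambda s: {0: [0], 1: [2], 2: [1, 3], 3: [3]}[s],
    "P": lambda s: s != 3,
}

# Constructed system in which the bad state 2 is reachable in two steps.
BUGGY = {
    "states": [0, 1, 2],
    "init": [0],
    "step": lambda s: {0: [1], 1: [2], 2: [2]}[s],
    "P": lambda s: s != 2,
}

if __name__ == "__main__":
    print(k_induction(TOY, simple_paths=False, max_k=6))
    print(k_induction(TOY, simple_paths=True))
    print(k_induction(BUGGY, simple_paths=True))
```

On TOY the plain inductive step is satisfiable for every k (the path 2, 1, 2, ..., 2, 3 exists for any length), so the loop only stops at max_k; with the simple-path restriction the longest simple path of good states ending in 3 has three good states, so the step holds at k = 3. On BUGGY the base case finds the path 0, 1, 2 at k = 2.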

k-induction for STTS. Both base case and inductive step formulas can be applied to an STTS $(X, C, \mathit{Init}, \mathit{Invar}, T, R)$ simply by replacing $\mathit{Init}$, $T$ and $\mathit{Invar}$ in these formulas by $\widehat{\mathit{Init}}$, $\widehat{T}$ and $\widehat{\mathit{Invar}}$ and using an SMT solver instead of a SAT solver. However, unlike for untimed systems, termination is not even guaranteed when adding disequality constraints. For untimed systems, disequality constraints guarantee termination due to the fact that in a finite state system there are no simple paths of infinite length and, thus, the simple path inductive step check is guaranteed to be unsatisfiable with sufficiently large $k$. Timed systems, in contrast, typically have no upper bound for the length of a simple path and, thus, disequality constraints are not sufficient for completeness. However, the infinite state space of an STTS can be split into a finite number of regions. Thus, any reasoning made for finite state systems can be applied to regions of states. In particular, k-induction is complete and correct when only paths that do not visit two states belonging to the same region are considered in the inductive step [15]. By enforcing this property on inductive step paths using region-disequality constraints, complete k-induction can be performed using $\widehat{\mathit{Init}}$, $\widehat{T}$ and $\widehat{\mathit{Invar}}$ (almost) without modification.

In order to specify that two states of an STTS belong to different regions, region-disequality constraints need to individually constrain the integer and fractional parts of clock values. As only some SMT solvers, such as Yices [16], allow referring to integer and fractional parts of real-valued variables, we provide a region-disequality constraint encoding that does not rely on such a feature.¹ Instead, we split each clock variable $c$ into two variables: $c_{\mathit{int}}$ represents the integer and $c_{\mathit{fract}}$ the fractional part of $c$'s value. This "splitting of clocks" requires rewriting of $\widehat{\mathit{Init}}$, $\widehat{T}$ and $\widehat{\mathit{Invar}}$ by replacing each atom involving a clock with a formula as follows (atom on the left, replacement on the right, $n \in \mathbb{N}$):

- $c < n$: $c_{\mathit{int}} < n$

- $c \le n$: $c_{\mathit{int}} < n \vee (c_{\mathit{int}} = n \wedge c_{\mathit{fract}} = 0)$

- $c > n$: $c_{\mathit{int}} > n \vee (c_{\mathit{int}} = n \wedge c_{\mathit{fract}} > 0)$

- $c \ge n$: $c_{\mathit{int}} \ge n$

- $c = n$: $c_{\mathit{int}} = n \wedge c_{\mathit{fract}} = 0$

- $c' = c$: $c'_{\mathit{int}} = c_{\mathit{int}} \wedge c'_{\mathit{fract}} = c_{\mathit{fract}}$

- $c' = \delta$: $c'_{\mathit{int}} = \delta_{\mathit{int}} \wedge c'_{\mathit{fract}} = \delta_{\mathit{fract}}$

- $c' = c + \delta$: $((c_{\mathit{fract}} + \delta_{\mathit{fract}} < 1) \Rightarrow (c'_{\mathit{int}} = c_{\mathit{int}} + \delta_{\mathit{int}} \wedge c'_{\mathit{fract}} = c_{\mathit{fract}} + \delta_{\mathit{fract}})) \wedge ((c_{\mathit{fract}} + \delta_{\mathit{fract}} \ge 1) \Rightarrow (c'_{\mathit{int}} = c_{\mathit{int}} + \delta_{\mathit{int}} + 1 \wedge c'_{\mathit{fract}} = c_{\mathit{fract}} + \delta_{\mathit{fract}} - 1))$



¹ In [17] we give an alternative encoding for region-disequality constraints in a BMC setting.
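The clock-splitting rewriting in the table above, as an added example that is not code from the paper: each replacement is coded as a predicate over the pair (c_int, c_fract) and checked against the original atom on sample values, and the replacement of c' = c + δ shows the carry into the integer part when the fractional parts sum to at least 1. The function names, the sample values and the use of exact rationals are assumptions of this example.

```python
from fractions import Fraction
from math import floor

# Added example, not code from the paper. A clock value is split into its
# integer and fractional part; each replacement formula from the table is a
# predicate over that pair. Names are assumptions made for this example.

def split(value):
    """Split a non-negative rational into (integer part, fractional part)."""
    value = Fraction(value)
    i = floor(value)
    return i, value - i

# Replacement of each comparison atom c ⋈ n, as a predicate on (c_int, c_fract).
SPLIT_ATOM = {
    "<":  lambda ci, cf, n: ci < n,
    "<=": lambda ci, cf, n: ci < n or (ci == n and cf == 0),
    ">":  lambda ci, cf, n: ci > n or (ci == n and cf > 0),
    ">=": lambda ci, cf, n: ci >= n,
    "=":  lambda ci, cf, n: ci == n and cf == 0,
}

# The original atoms, evaluated directly on the clock value.
ORIGINAL_ATOM = {
    "<": lambda c, n: c < n, "<=": lambda c, n: c <= n,
    ">": lambda c, n: c > n, ">=": lambda c, n: c >= n,
    "=": lambda c, n: c == n,
}

def split_atom_holds(op, value, n):
    """Evaluate the replacement of the atom `value op n` on the split pair."""
    ci, cf = split(value)
    return SPLIT_ATOM[op](ci, cf, n)

def split_add(c, delta):
    """Replacement of c' = c + delta: carry one into the integer part when the
    fractional parts sum to at least 1. Returns the split pair of c'."""
    ci, cf = split(c)
    di, df = split(delta)
    if cf + df < 1:
        return ci + di, cf + df
    return ci + di + 1, cf + df - 1

def encoding_agrees(values, consts):
    """True iff every replacement atom agrees with its original atom on all
    given clock values and constants, and split_add agrees with ordinary
    addition on all pairs of values."""
    for v in values:
        for n in consts:
            for op in SPLIT_ATOM:
                if split_atom_holds(op, v, n) != ORIGINAL_ATOM[op](Fraction(v), n):
                    return False
    for c in values:
        for d in values:
            if split_add(c, d) != split(Fraction(c) + Fraction(d)):
                return False
    return True

# Constructed sample: clock values on and around the integer boundaries 0..3.
SAMPLE_VALUES = ["0", "0.3", "0.5", "1", "1.4", "1.65", "2", "2.999", "3"]
SAMPLE_CONSTS = [0, 1, 2, 3]

if __name__ == "__main__":
    print(encoding_agrees(SAMPLE_VALUES, SAMPLE_CONSTS))
    print(split_add("1.4", "0.7"))   # carry case: 0.4 + 0.7 >= 1
```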



Then, two states with indices $i$ and $j$ can be forced to be in different regions by the following region-disequality constraint $\mathit{DiffRegion}^{(i,j)}$:

$$\begin{aligned}
& \bigvee_{x \in X} (\ldots) \vee \bigvee_{c \in C} (\ldots) \\
&\vee \bigvee_{c \in C} \big(\neg \mathit{max}_c^{(i)} \wedge \neg(c_{\mathit{fract}}^{(i)} = 0 \Leftrightarrow c_{\mathit{fract}}^{(j)} = 0)\big) \\
&\vee \bigvee_{c \in C} \bigvee_{d \in C \setminus \{c\}} \big(\neg \mathit{max}_c^{(i)} \wedge \neg \mathit{max}_d^{(i)} \wedge \neg((c_{\mathit{fract}}^{(i)} < d_{\mathit{fract}}^{(i)}) \Leftrightarrow (c_{\mathit{fract}}^{(j)} < d_{\mathit{fract}}^{(j)}))\big)
\end{aligned}$$

where the shorthand $\mathit{max}_c^{(i)} := c_{\mathit{int}}^{(i)} > m_c \vee (c_{\mathit{int}}^{(i)} = m_c \wedge c_{\mathit{fract}}^{(i)} > 0)$ detects whether the clock $c$ exceeds its maximum relevant value $m_c$.

4 IC3 for Timed Systems 

In this section, we first describe the IC3 algorithm [13] for untimed finite state systems (see also [18] for an alternative, complementary account of the algorithm). We then show how it can be extended for verifying timed systems by using region abstraction and SMT solvers.

Like k-induction, the IC3 algorithm tries to generate an inductive proof for a given state property $P$ on an untimed system $S = (X, \emptyset, \mathit{Init}, \mathit{Invar}, T, \emptyset)$. But unlike the unrolling-based approach used by k-induction, proofs generated by the IC3 algorithm consist only of a single formula $\mathit{Proof}$ satisfying three properties: (a) $\mathit{Proof}$ is satisfied by any initial state of $S$, (b) $\mathit{Proof}$ is satisfied by any successor of any state satisfying $\mathit{Proof}$, and (c) $\mathit{Proof} \Rightarrow P$. Properties (a) and (b) serve as base case and inductive step for showing that the set of states satisfying $\mathit{Proof}$ is an over-approximation of the states reachable in $S$, while property (c) proves that any reachable state satisfies $P$.

In order to generate a proof, the IC3 algorithm builds a sequence of sets of formulas $F_0 \ldots F_k$ satisfying certain properties. Eventually, one of these sets becomes the proof $\mathit{Proof}$. Each $F$-set represents the set of states satisfying all its formulas. The properties satisfied by the sequence are (i) $\mathit{Init} \wedge \mathit{Invar} \Rightarrow F_0$, (ii) $F_i \Rightarrow F_{i+1}$, (iii) $F_i \Rightarrow P$, and (iv) $F_i \wedge \mathit{Invar} \wedge T \wedge \mathit{Invar}' \Rightarrow F'_{i+1}$. The basic strategy employed by the IC3 algorithm is to add clauses to the $F_i$-sets in a fashion that keeps properties (i) to (iv) intact until $F_k \wedge \mathit{Invar} \wedge T \wedge \mathit{Invar}' \Rightarrow P'$. In this situation, $k$ can be increased by appending $\{P\}$ to the sequence. The algorithm terminates once $F_i = F_{i+1}$ for some $i$ and provides $F_i$ as a proof. Upon termination, properties (i) and (ii) imply proof-property (a), property (iv) and the termination condition $F_i = F_{i+1}$ imply property (b), and property (iii) implies property (c). Note that, in practice, property (ii) is enforced by adding any formula added to a given $F$-set also to all $F$-sets with lower index, i.e. $F_i \subseteq F_{i-1}$.

After sketching the basic strategy, we will now take a closer look at the algorithm. Note, however, that the description given is only a simplified version of the algorithm that focuses on the aspects that are relevant with respect to extending it for STTS. Figure 2 shows the main loop of the IC3 algorithm. In each iteration, the algorithm first checks whether or not it is currently possible to extend the sequence of $F$-sets by appending $P$. Note that as appending $P$ will never result in properties (i) to (iii) being violated, it is sufficient to check whether extending the sequence would violate property (iv). A corresponding SAT call can be found in Line 2 of Fig. 2. If the SAT call indicates that the sequence can safely be extended, the sequence is extended in Lines 3 and 4. In the next step, clauses may be propagated from $F$-sets to subsequent sets in the sequence. While this step is vital for termination, a more detailed description is omitted here for space limitations. After propagation, the algorithm's termination condition is checked in Line 6.

 1: loop
 2:   if $F_k \wedge \mathit{Invar} \wedge T \wedge \mathit{Invar}' \wedge \neg P'$ is UNSAT then
 3:     $k := k + 1$
 4:     add $F_k := \{P\}$ to sequence of $F$-sets
 5:     propagate()
 6:     if $F_i = F_{i+1}$ for some $i$ then
 7:       return true {Property holds}
 8:   else
 9:     $s \leftarrow$ predecessor of a bad state extracted from the model
10:     success $\leftarrow$ blockState($s$)
11:     if $\neg$success then
12:       return false {Property violated}

Fig. 2. The main loop of IC3

Of course, the SAT check in Line 2 may as well indicate that the $F$-sequence may currently not be extended without violating property (iv). In this case, a state $s$ that satisfies $F_k$ and has a bad successor can be extracted from the model returned by the SAT solver. As $s$ prevents the sequence from being extended, the algorithm attempts to drop $s$ from (the set of states represented by) $F_k$ by adding a clause that implies $\neg s$.² The corresponding subroutine call, blockState($s$), may also need to add further clauses to other $F$-sets than $F_k$ in order to ensure that the properties of the sequence remain satisfied.

The blockState($s$) subroutine, outlined in Figure 3, operates on a list of proof obligations, each being a pair of a state and an index. An obligation $(s, i)$ indicates that it is necessary to drop $s$ from $F_i$ before the main loop of the algorithm can continue. Initially, the only proof obligation is to drop the state provided as an argument from $F_k$. For any proof obligation $(s, i)$, the blockState subroutine in Line 6 checks whether or not $s$ has a predecessor $z$ in $F_{i-1}$. Such a predecessor prevents $s$ from being excluded from $F_i$ without violating property (iv). Thus, if a predecessor is found, the obligation $(s, i)$ cannot be fulfilled immediately and is added to the set of open obligations again in Line 8. Furthermore, $z$ has to be excluded from $F_{i-1}$ before $s$ can be excluded from $F_i$. This is reflected by the obligation $(z, i-1)$ also being added to the set of open obligations in Line 9.

If the SAT call in Line 6 is unsatisfiable, then $s$ has no predecessor in $F_{i-1}$ and can safely be excluded from $F_i$ without violating property (iv). The state $s$ is excluded by adding a generalization of the clause $\neg s$ to $F_i$. More precisely, the algorithm attempts to drop literals from $\neg s$ in a way that preserves properties (i) and (iv) before adding the resulting clause to $F_i$. Without this generalization step, states would be excluded one at a time from the $F$-sets, resulting in a method akin to explicit state model checking.

² In a slight abuse of notation, we interpret a state $s$ as the formula $\bigwedge_{y \in X \cup C} y = s(y)$ where appropriate.

 1: $Q \leftarrow$ priority queue containing $(s, k)$
 2: while $Q$ not empty do
 3:   $(s, i) \leftarrow Q$.popMin()
 4:   if $i = 0$ then
 5:     return false {Counter-example found}
 6:   if $F_{i-1} \wedge \neg s \wedge T \wedge \mathit{Invar} \wedge \mathit{Invar}' \wedge s'$ is SAT then
 7:     $z \leftarrow$ predecessor of $s$ extracted from the model
 8:     $Q$.add($(s, i)$)
 9:     $Q$.add($(z, i-1)$)
10:   else
11:     $F_i$.add(generalize($\neg s$))
12:     if $i < k$ then
13:       $Q$.add($(s, i+1)$)
14: return true

Fig. 3. The blockState($s$) sub-routine

So far, it has been assumed that P holds. If this is not the case, then the main 
loop will eventually pass a predecessor of a bad state reachable in S to blockState. In 
such a situation, blockState essentially performs a backwards depth-first search that 
eventually leads to an initial state of S, which is detected in Line 4. Note that it is 
straightforward to extract a counter-example from the proof obligations if it is detected 
that P does not hold. 

Note that, while sufficient to explain our extensions, only a simplified version of the IC3 algorithm has been described. Most notably, the complete version of the algorithm additionally aims to satisfy proof obligations for multiple successive $F$-sets at a time if possible and performs generalization based on unsatisfiable cores obtained from SAT calls in various locations. For a description of these techniques as well as complete arguments for correctness and completeness of the approach refer to [13, 18].

Extending IC3 for timed systems. As was the case with k-induction, the key to extending the IC3 algorithm to timed systems is the region abstraction. Again, we will use an SMT solver instead of a SAT solver, and the combined step encoding $\widehat{\mathit{Init}}$, $\widehat{\mathit{Invar}}$ and $\widehat{T}$ of an STTS will replace $\mathit{Init}$, $\mathit{Invar}$ and $T$. To operate on the region level, we lift each concrete state in a satisfying interpretation returned by the SMT solver to the region level in the IC3 algorithm code whenever it is passed back to the SMT solver again. To do this, given a state $s$, we construct a conjunction $\hat{s}$ of atoms such that $\hat{s}$ represents all the states in the same region as $s$, i.e. for any state $u$ it holds that $u \models \hat{s}$ iff $u \sim s$. Formally, $\hat{s}$ is the conjunction of the atoms given by the following rules:

1. For each state variable $x \in X$, add the atom $(x = s(x))$.

2. For each clock $c$ with $s(c) > m_c$, add the atom $(c > m_c)$.

3. For each clock $c$ with $s(c) \le m_c$ and $\mathrm{fract}(s(c)) = 0$, add the atoms $(c \le s(c))$ and $(c \ge s(c))$. Two atoms are added instead of $(c = s(c))$ so that the clause generalization sub-routine has more possibilities for relaxing $\neg\hat{s}$.

4. For each clock $c$ with $s(c) \le m_c$ and $\mathrm{fract}(s(c)) \neq 0$, add the atoms $(c > \lfloor s(c) \rfloor)$ and $(c < \lceil s(c) \rceil)$.

5. For each pair $c, d$ of distinct clocks with $s(c) \le m_c$ and $s(d) \le m_d$,

   (a) if $\mathrm{fract}(s(c)) = \mathrm{fract}(s(d))$, add the atoms $(d \le c - \lfloor s(c) \rfloor + \lfloor s(d) \rfloor)$ and $(d \ge c - \lfloor s(c) \rfloor + \lfloor s(d) \rfloor)$, and

   (b) if $\mathrm{fract}(s(c)) < \mathrm{fract}(s(d))$, add the atom $(d > c - \lfloor s(c) \rfloor + \lfloor s(d) \rfloor)$.

What is especially convenient here is that, unlike in the region-disequality constraints in k-induction, there is no need to directly access the integral and fractional parts of clock variables in $\hat{s}$ because $\hat{s}$ considers one fixed region. Indeed, all the atoms concerning clock variables fall in the difference logic fragment of linear arithmetics over reals, for which very efficient decision procedures are available [19, 20].

We now let the IC3 algorithm operate as in the untimed case, except that the satisfiability calls are changed to operate on the region level. Especially, the formula in Line 6 of Fig. 3 is modified to $F_{i-1} \wedge \neg\hat{s} \wedge \widehat{T} \wedge \widehat{\mathit{Invar}} \wedge \widehat{\mathit{Invar}}' \wedge \hat{s}'$ so that it operates on the region level, trying to find a predecessor state in the $F_{i-1}$-set for any state in the same region as $s$. Furthermore, in Line 11 the clause generalization is called with the clause $\neg\hat{s}$ that represents all the states that are in a different region than $s$; thus we exclude at least all states in the region of $s$ from $F_i$. No major modifications are required in the clause generalization mechanisms, but they can handle clock atoms in the same way the state variable literals are handled.

Example 2. Consider the STTS for the system in Fig. 1(a) discussed in Ex. 1. For the state $s = \{x_1 \mapsto \mathit{false}, x_2 \mapsto \mathit{true}, c \mapsto 1.4, d \mapsto 1.65, \ldots\}$ we obtain the conjunction $\hat{s} = (\neg x_1 \wedge x_2 \wedge (c > 1) \wedge (c < 2) \wedge (d > 1) \wedge (d < 2) \wedge (d > c) \wedge \ldots)$ that represents all the states in the region of $s$. The clause that excludes the whole region of $s$ is simply $(x_1 \vee \neg x_2 \vee (c \le 1) \vee (c \ge 2) \vee (d \le 1) \vee (d \ge 2) \vee (d \le c) \vee \ldots)$.
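Rules 1 to 5 and Example 2 above, as an added example that is not code from the paper: the rules are implemented as a function producing the atoms of ŝ, and the result for the state of Example 2 is checked by evaluating the atoms on other states, one in the same region and two outside it. The constants m_c = 3 and m_d = 2 are taken from Fig. 1(b); the function names, the triple representation of atoms and the omission of the further variables indicated by "…" in the example are assumptions of this example.

```python
from fractions import Fraction
from math import floor, ceil

# Added example, not code from the paper. A state is a dict over state
# variables (booleans) and clocks (values convertible to Fraction). An atom is
# a triple (lhs, op, rhs); a clock-difference atom d ⋈ c + k has rhs (c, k).
# All names are assumptions made for this example.

def fract(a):
    return a - floor(a)

def lift_to_region(s, state_vars, max_const):
    """Return the atoms of ŝ for state s, following rules 1-5 of the text."""
    atoms = []
    for x in state_vars:                                    # rule 1
        atoms.append((x, "=", s[x]))
    for c, m in max_const.items():
        v = Fraction(s[c])
        if v > m:                                           # rule 2
            atoms.append((c, ">", m))
        elif fract(v) == 0:                                 # rule 3
            atoms.append((c, "<=", floor(v)))
            atoms.append((c, ">=", floor(v)))
        else:                                               # rule 4
            atoms.append((c, ">", floor(v)))
            atoms.append((c, "<", ceil(v)))
    for c, mc in max_const.items():                         # rule 5
        for d, md in max_const.items():
            sc, sd = Fraction(s[c]), Fraction(s[d])
            if c == d or sc > mc or sd > md:
                continue
            k = floor(sd) - floor(sc)       # the offset in d ⋈ c - ⌊s(c)⌋ + ⌊s(d)⌋
            if fract(sc) == fract(sd):
                if c < d:                   # 5(a): one pair of atoms per unordered pair
                    atoms.append((d, "<=", (c, k)))
                    atoms.append((d, ">=", (c, k)))
            elif fract(sc) < fract(sd):     # 5(b), checked in both orders of the pair
                atoms.append((d, ">", (c, k)))
    return atoms

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}

def satisfies(u, atoms):
    """True iff state u satisfies every atom, i.e. u ⊨ ŝ."""
    for lhs, op, rhs in atoms:
        if isinstance(rhs, tuple):
            other, k = rhs
            rhs = Fraction(u[other]) + k
        lhs_val = u[lhs] if isinstance(u[lhs], bool) else Fraction(u[lhs])
        if not OPS[op](lhs_val, rhs):
            return False
    return True

def render(atoms):
    """Render ŝ as text, e.g. '(c > 1) ∧ (d > c)'."""
    parts = []
    for lhs, op, rhs in atoms:
        if isinstance(rhs, tuple):
            other, k = rhs
            rhs = other if k == 0 else f"{other} {'+' if k > 0 else '-'} {abs(k)}"
        parts.append(f"({lhs} {op} {rhs})")
    return " ∧ ".join(parts)

MAX_CONST = {"c": 3, "d": 2}       # m_c and m_d of Fig. 1(b)
STATE_VARS = ["x1", "x2"]
# The state of Example 2, restricted to the variables it names (constructed).
EXAMPLE_STATE = {"x1": False, "x2": True, "c": "1.4", "d": "1.65"}

if __name__ == "__main__":
    print(render(lift_to_region(EXAMPLE_STATE, STATE_VARS, MAX_CONST)))
```

For the state of Example 2 the function yields exactly the atoms ¬x1, x2, c > 1, c < 2, d > 1, d < 2 and d > c (the last one from rule 5(b) with ⌊s(c)⌋ = ⌊s(d)⌋ = 1); a state with the fractional parts reversed, such as c = 1.7, d = 1.5, fails the atom d > c and so lies outside the region.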

The soundness of the timed IC3 algorithm can be argued as follows. We say that a formula $\phi$ over $X \cup C$ respects regions if for all states $s$ and $u$, $s \sim u$ implies that $s \models \phi$ iff $u \models \phi$. By construction, a state property $P$ as well as $\hat{s}$ and $\neg\hat{s}$ for any state $s$ all respect regions. Furthermore, any sub-clause of $\neg\hat{s}$ returned by the clause generalization sub-routine also respects regions. As a result, all the clauses in the $F$-sets respect regions and thus the $F$-sets exclude whole regions only. Furthermore, the modified formula $F_{i-1} \wedge \neg\hat{s} \wedge \widehat{T} \wedge \widehat{\mathit{Invar}} \wedge \widehat{\mathit{Invar}}' \wedge \hat{s}'$ in Line 6 of Fig. 3 is unsatisfiable iff no state in the same region as $s$ can be reached from the $F_{i-1}$-set; thus excluding the whole region in Line 11 is correct.

Because the number of regions is finite, only a finite number of clauses can be added to any $F$-set. As a result, the argument for termination given in [18] can be applied to the timed IC3 algorithm as well.

5 Optimizations by Excluding Multiple Regions

We now describe optimizations for timed IC3 and k-induction that sometimes allow us to exclude more regions at once during the clause generalization and in the region-disequality constraints, respectively. They both exclude time-predecessor regions of a region, i.e. regions from whose states one can reach the other region by just letting time pass. As an example, all the light regions and the dark gray region (with $c = 3$ and $d > 2$) in Fig. 4 are time-predecessors of the dark gray region. Formally, we define that a clock valuation $w$ is in a time-predecessor region of the clock valuation $v$, denoted by $w \preceq v$, if for all clocks $c, d \in C$ all the following hold:

1. Either (i) $v(c) > m_c$, (ii) $\mathrm{fract}(v(c)) = 0$ and $w(c) \le v(c)$, or (iii) $\mathrm{fract}(v(c)) > 0$ and $w(c) < \lceil v(c) \rceil$.

2. If $v(c) \le m_c$ and $v(d) \le m_d$, then

   (i) $\mathrm{fract}(v(c)) = \mathrm{fract}(v(d))$ implies $w(d) = w(c) - \lfloor v(c) \rfloor + \lfloor v(d) \rfloor$, and

   (ii) $\mathrm{fract}(v(c)) < \mathrm{fract}(v(d))$ implies $w(d) > w(c) - \lfloor v(c) \rfloor + \lfloor v(d) \rfloor$ and $w(d) < w(c) - \lfloor v(c) \rfloor + \lfloor v(d) \rfloor + 1$.

3. If $v(c) \le m_c$ and $v(d) > m_d$, then

   (i) $\mathrm{fract}(v(c)) = 0$ implies $w(d) > w(c) - \lfloor v(c) \rfloor + m_d$, and

   (ii) $\mathrm{fract}(v(c)) > 0$ implies $w(d) > w(c) - \lfloor v(c) \rfloor + m_d - 1$.

Observe that $\preceq$ is a reflexive relation. A state $u$ is in a time-predecessor region of another state $s$, denoted by $u \preceq s$, if they agree on the values of the state variables and, when restricted to the clock variables, $u$ is in a time-predecessor region of $s$.

Fig. 4. A time-predecessor clock region.



Application to IC3. The timed variant of the IC3 algorithm described in a previous
section excludes an entire region from an F-set once a state inside that region (and thus
the whole region) has been found to be unreachable from the previous F-set. In this
section, we will argue that it is actually possible to exclude all the time-predecessor
regions at the same time. By excluding more than one region, the F-sets potentially
shrink faster, which can lead to improved execution times. This optimization to the IC3
algorithm is based on the following lemma:

Lemma 1. Let s be a valid state. If none of the states in the region of s can be reached
from an initial state with one time elapse step followed by n combined steps, then none
of the valid states in the time-predecessor regions of s can, either.

Proof. Assume that a valid state p ≼ s is reachable in that way. Thus, (i) p satisfies
Invar, (ii) there is a δ ∈ ℝ≥0 such that p + δ ≃ s as p ≼ s, (iii) p + δ satisfies Invar
as s does, and (iv) all the states "in between" p and s (i.e. all the states p + δ' with
0 ≤ δ' ≤ δ) satisfy the convex Invar, too. Therefore, p + δ is reachable from an initial
state with one time elapse step followed by n combined steps by just "extending" the
last time elapse step by δ units. This gives a contradiction as p + δ ≃ s. □

Any state considered by the IC3 algorithm is extracted from a model of an SMT
formula containing the system's state invariant as a conjunct and hence satisfies the
invariant. In addition, the Init and T formulas used in timed IC3 capture initial states
followed by one time elapse step and combined steps, respectively. Thus, Lemma 1 is
applicable to any state found unreachable by the IC3 algorithm and justifies dropping
all the time-predecessor regions at the same time. Given a state s, we can construct
a conjunction of atoms s^≼ that represents all the states in the time-predecessor
regions of s. Formally, s^≼ is obtained by instantiating the definition of ≼ for a concrete
state s and is the conjunction of the atoms given by the following rules:

1. For each state variable x ∈ X, add the atom (x = s(x)).

2. For each clock c with s(c) ≤ m_c and fract(s(c)) = 0, add the atom (c ≤ s(c)).

3. For each clock c with s(c) ≤ m_c and fract(s(c)) ≠ 0, add the atom (c < ⌈s(c)⌉).

4. For each pair c, d of distinct clocks with s(c) ≤ m_c and s(d) ≤ m_d,

   (a) if fract(s(c)) = fract(s(d)), add the atoms (d ≤ c − ⌊s(c)⌋ + ⌊s(d)⌋) and
   (d ≥ c − ⌊s(c)⌋ + ⌊s(d)⌋), again using two literals to encode equality for
   additional clause relaxation possibilities, and

   (b) if fract(s(c)) < fract(s(d)), add the atoms (d > c − ⌊s(c)⌋ + ⌊s(d)⌋) and
   (d < c − ⌊s(c)⌋ + ⌊s(d)⌋ + 1).

5. For each pair c, d of distinct clocks with s(c) ≤ m_c and s(d) > m_d,

   (a) if fract(s(c)) = 0, add the atom (d > c − ⌊s(c)⌋ + m_d), and

   (b) if fract(s(c)) > 0, add the atom (d > c − ⌊s(c)⌋ + m_d − 1).

Now s^≼ and ¬s^≼ can be used instead of s and ¬s in SMT calls and as arguments for
clause generalization. Observe that s^≼ is also in the difference logic fragment of linear
arithmetic and does not need to refer to integral or fractional parts of clocks.

Example 3. Consider again the STTS for the system in Fig. 1(a) discussed in Ex. 1. For
the state s = {x_1 ↦ false, x_2 ↦ true, c ↦ 3.0, d ↦ 2.7, …} in the dark gray clock
region in Fig. 4, we get the conjunction s^≼ = (¬x_1 ∧ x_2 ∧ (c ≤ 3) ∧ (d > c − 1) ∧ …)
representing all the states in the time-predecessor regions.
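The definition of ≼ and rules 1 to 5 above are exercised in the following Python example, which is added to this page and is not the paper's implementation. It assumes Boolean state variables, exact rational clock values, maximal constants m_c = m_d = 4 for the two clocks of Example 3 (the page does not state them), and the standard region equivalence of Alur and Dill in place of the paper's ≃ from Sect. 3, which is not on this page. It rebuilds the conjunction s^≼ of Example 3 and then checks, over a grid of clock valuations w, that the atoms hold for w exactly when some delay δ moves w into the region of s, which is the property the proof of Lemma 1 relies on.

```python
import itertools
from fractions import Fraction
from math import ceil, floor

def fract(x):
    return x - floor(x)                      # exact: clock values are Fractions

def pred_region_atoms(s, state_vars, maxc):
    """Rules 1-5 for the concrete state s (Boolean state variables assumed); maxc
    maps each clock c to m_c.  Atom forms: ("eq", x, val) is x = val; ("le"/"lt",
    c, k) is c ≤ k / c < k; ("dle"/"dge"/"dgt"/"dlt", d, c, k) is d ≤/≥/>/< c + k."""
    atoms = [("eq", x, s[x]) for x in state_vars]                      # rule 1
    for c in maxc:
        if s[c] > maxc[c]:
            continue                           # unbounded region: no upper bound
        if fract(s[c]) == 0:
            atoms.append(("le", c, s[c]))                              # rule 2
        else:
            atoms.append(("lt", c, ceil(s[c])))                        # rule 3
    for c, d in itertools.permutations(maxc, 2):           # ordered pairs, c != d
        sc, sd = s[c], s[d]
        if sc <= maxc[c] and sd <= maxc[d]:                            # rule 4
            k = floor(sd) - floor(sc)
            if fract(sc) == fract(sd):           # 4(a): equality as two literals
                atoms += [("dle", d, c, k), ("dge", d, c, k)]
            elif fract(sc) < fract(sd):          # 4(b): open unit interval
                atoms += [("dgt", d, c, k), ("dlt", d, c, k + 1)]
        elif sc <= maxc[c] and sd > maxc[d]:                           # rule 5
            k = maxc[d] - floor(sc)
            atoms.append(("dgt", d, c, k if fract(sc) == 0 else k - 1))
    return atoms

CMP = {"le": lambda a, b: a <= b, "lt": lambda a, b: a < b, "dle": lambda a, b: a <= b,
       "dge": lambda a, b: a >= b, "dgt": lambda a, b: a > b, "dlt": lambda a, b: a < b}
SYM = {"le": "≤", "lt": "<", "dle": "≤", "dge": "≥", "dgt": ">", "dlt": "<"}

def holds(atom, val):
    """Evaluate one atom on a valuation of state variables and clocks."""
    if atom[0] == "eq":
        return val[atom[1]] == atom[2]
    if len(atom) == 3:                                      # bound on one clock
        return CMP[atom[0]](val[atom[1]], atom[2])
    kind, d, c, k = atom
    return CMP[kind](val[d], val[c] + k)

def atom_str(atom):
    """Render an atom in the notation of Example 3."""
    if atom[0] == "eq":
        return atom[1] if atom[2] else "¬" + atom[1]
    if len(atom) == 3:
        return f"({atom[1]} {SYM[atom[0]]} {atom[2]})"
    kind, d, c, k = atom
    rhs = c if k == 0 else f"{c} {'+' if k > 0 else '-'} {abs(k)}"
    return f"({d} {SYM[kind]} {rhs})"

def same_region(u, v, maxc):
    """Standard (Alur-Dill) region equivalence; an assumption, as the paper's own ≃ is
    defined in Sect. 3, which is not on this page."""
    for c in maxc:
        if u[c] > maxc[c] or v[c] > maxc[c]:
            if not (u[c] > maxc[c] and v[c] > maxc[c]):
                return False
        elif floor(u[c]) != floor(v[c]) or (fract(u[c]) == 0) != (fract(v[c]) == 0):
            return False
    for c, d in itertools.permutations(maxc, 2):
        if u[c] <= maxc[c] and u[d] <= maxc[d]:
            if (fract(u[c]) <= fract(u[d])) != (fract(v[c]) <= fract(v[d])):
                return False
    return True

def reaches_by_delay(w, v, maxc, limit=6):
    """Can letting time pass from w reach the region of v?  Quarter-step delays are
    exact for the half-integer grid used in validate()."""
    for k in range(4 * limit + 1):
        if same_region({c: w[c] + Fraction(k, 4) for c in maxc}, v, maxc):
            return True
    return False

def validate(s, state_vars, maxc, limit=5):
    """Over a grid of clock valuations w (state variables copied from s): the atoms of
    s^≼ must hold for w exactly when w can delay into the region of s."""
    atoms = pred_region_atoms(s, state_vars, maxc)
    points = [Fraction(k, 2) for k in range(2 * limit + 1)]
    for vals in itertools.product(points, repeat=len(maxc)):
        w = {x: s[x] for x in state_vars}
        w.update(zip(maxc, vals))
        if all(holds(a, w) for a in atoms) != reaches_by_delay(w, s, maxc):
            return False
    return True

# Constructed inputs: the state of Example 3 plus three other region shapes;
# the maximal constants m_c = m_d = 4 are an assumption (Fig. 4 is not shown).
STATE_VARS = ["x1", "x2"]
MAXC = {"c": 4, "d": 4}
S_EX3 = {"x1": False, "x2": True, "c": Fraction(3), "d": Fraction(27, 10)}
CHECK_STATES = [
    S_EX3,
    {"x1": True, "x2": True, "c": Fraction(7, 2), "d": Fraction(5, 2)},     # equal fracts
    {"x1": True, "x2": False, "c": Fraction(9, 4), "d": Fraction(9, 2)},    # d > m_d
    {"x1": False, "x2": False, "c": Fraction(9, 2), "d": Fraction(19, 4)},  # both > m
]

def example3_conjunction():
    return " ∧ ".join(atom_str(a) for a in pred_region_atoms(S_EX3, STATE_VARS, MAXC))

def validate_all():
    return all(validate(s, STATE_VARS, MAXC) for s in CHECK_STATES)
```

`example3_conjunction()` yields ¬x1 ∧ x2 ∧ (c ≤ 3) ∧ (d < 3) ∧ (d > c − 1) ∧ (d < c); the first four atoms are those Example 3 lists, the last two are the ones its ellipsis hides (rule 3 for d and rule 4(b) for the ordered pair (c, d); the pair (d, c) contributes nothing because fract(s(d)) > fract(s(c))). `validate_all()` confirms on all four constructed states that the atoms accept a valuation exactly when a delay takes it into the region of s, including the unbounded cases of rule 5 and the reflexive case δ = 0. Strict inequalities in 4(b) and 5 matter here: with non-strict bounds the conjunction would also admit valuations whose delay lands on a region boundary, i.e. outside the region of s.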

Application to k-induction. The idea of excluding time-predecessor regions can also
be applied to k-induction. This is based on the following lemma, stating that a path of
combined steps can be compressed into a shorter region-equivalent one if a state in it is
in the time-predecessor region of a later state:

Lemma 2. Let s_0 s'_1 s_1 … s'_{i−1} s_{i−1} s'_i s_i … s'_j s_j … s'_k be a path such that (i) s_0 is an
initial state, (ii) s'_i ≼ s'_j, (iii) each step between s_l and s'_{l+1} is a time elapse step, and
(iv) each step between s'_l and s_l is a discrete step. Then s_0 s'_1 s_1 … s'_{i−1} s_{i−1} u'_j u_j … u'_k
with u'_l ≃ s'_l for all j ≤ l ≤ k and u_l ≃ s_l for all j ≤ l < k is also a path.

Proof. As s'_i ≼ s'_j and the state invariants are convex, the time elapse step from s_{i−1}
to s'_i can be "extended" so that a state s'_i + δ ≃ s'_j is reached instead. Letting u'_j equal
s'_i + δ, the existence of the requested postfix u'_j u_j … u'_k of the path follows from the
forward bisimilarity of the states in the same region. □

Now this implies that in timed k-induction we can use, instead of the region-disequality
formula DiffRegion_≃^{i,j}, a stronger formula DiffRegion_≼^{i,j} excluding the state s'_i from
being in a time-predecessor region of the state s'_j when i < j. We omit the details, but
this formula can be obtained from the definition of the ≼ relation in a similar way as
the DiffRegion_≃^{i,j} formula was obtained from the definition of ≃ in Sect. 3.



Table 1. Verification times in seconds for industrial benchmarks. Blank cells indicate that the respective property can not be verified on the respective size model. (The table body, a grid of per-property times and "timeout" entries for each method and model size, did not survive extraction.)

6 Experiments 

To determine the usefulness of the described methods, they were evaluated experimen- 
tally. Specifically, we were interested in the following questions: how do the methods 
perform and scale (i) in the area they were designed for, i.e. timed systems with a large 
amount of non-determinism; (ii) compared to each other; (iii) compared to using dis- 
crete time verification methods in a semantics-preserving way; and (iv) outside the area 
they were designed for, i.e. on models with a low amount of non-determinism? 

Setup. Timed k-induction and the timed IC3 algorithm were implemented in Python,
each supporting both region encoding variants. Using a more efficient programming
language like C is likely to yield only moderate execution time improvements, since
a significant fraction of the time is spent in the SMT solver. As SMT solver,
Yices [16] version 1.0.31 was used. All experiments were executed on Linux computers
with AMD Opteron 2435 CPUs, limited to one hour of CPU time and 2 GB of RAM.

Industrial benchmark. The first benchmark used is a model of an emergency diesel
generator intended for use in a nuclear power plant. The full model and two sub-
models, which are sufficient for the verification of some of the properties, were used. The
numbers of clocks and state variables are 24 and 130 for the full model, 7 and 64
for the first and 6 and 36 for the second sub-model. The industrial model has been
studied previously and found very challenging. Only some partial results [21] have
been obtained using the model checker NuSMV [22], by abstracting the model based on
its component structure and then using a discrete time version of the model. Efforts to
verify the abstracted model using the real time model checker Uppaal [4] were even
less successful [21]. Likewise, a booleanization-based attempt to verify the smallest
sub-model was unable to verify all properties [7].
Fig. 5. Time required to verify, by number of properties, for randomly generated properties



All four variants of the methods introduced in this paper were applied to the in-
dustrial model. Additionally, the original IC3 implementation [13] in combination with
a semantics-preserving booleanization approach [7] was used. Table 1 shows the re-
sulting execution times. k-induction did not exceed three seconds for any property. The
timed IC3 approaches performed similarly for most properties but timed out four times.
Both real-time verification methods performed significantly better than the booleaniza-
tion / IC3 combination, illustrating that the development of specialized real time verifica-
tion methods is worthwhile.



Random properties. While the industrial benchmark showed that the methods work
well in the area they were designed for, execution times were generally too low to com-
pare the different methods and variants. Therefore, 10000 additional random properties
were generated each for the full model and the medium size sub-model, each prop-
erty being a three literal clause using state variables and / or clocks. Figure 5 shows
the resulting execution times. Note that all methods timed out for one property on the
medium size model, which therefore could not be included in the plots, since it is not
known whether it holds. For violated random properties, k-induction performed very
well, due to its bounded model checking component. For properties that hold, in con-
trast, timed IC3 performed significantly better. Executing both methods (or timed IC3
and bounded model checking) in parallel could combine their strengths.

Using time-predecessor regions made no difference for k-induction. For the timed
IC3 algorithm, their effect depended on the size of the model used. A performance
increase was observed for the medium size model, contrasting a performance decrease
for the large model. A likely explanation for this behavior is the large number of clocks
used in the large model. While the time-predecessor region encoding uses fewer literals
referring to a single clock than the original region encoding, it contains more literals
comparing two clocks. Thus, the size of clauses grows quicker in the number of clocks
used for time-predecessor regions, which eventually outweighs the gain of excluding
more states at once.

Fig. 6. Verification time for the Fischer protocol (min, max and median of 11 executions)

Fischer protocol. As a third benchmark, the Fischer mutual exclusion protocol, a stan-
dard benchmark for timed verification, was used. In addition to the five methods used
for the industrial benchmark, Uppaal [4] version 4.0.11, a model checker for networks
of timed automata, was used. Unlike the industrial benchmark, the Fischer protocol is
fairly deterministic and, thus, could be expected to favor Uppaal over the fully-symbolic
methods. Figure 6 shows the execution times for verifying the Fischer property with a
varying number of processes. While timed IC3 was, unsurprisingly, significantly slower
than Uppaal, it scaled similarly, i.e. the runtime increased at a similar rate. k-induction
timed out at three processes already, while the booleanization-based approach showed
exponential runtime growth and timed out at five processes.

7 Conclusion 

This paper introduces two verification methods for symbolic timed transition systems: a
timed variant of the IC3 algorithm and an adapted version of k-induction. Furthermore,
a potential optimization to both methods is devised.

Both methods were able to verify properties on an industrial model whose verification
had been found intractable in previous attempts, and outperformed a booleanization-
based approach significantly. Random properties on the same model revealed that the
timed IC3 variant performs better for satisfied properties while timed k-induction per-
forms better on violated properties. The experiments suggest that executing timed IC3
in parallel with bounded model checking would yield excellent performance for the
verification of large, non-deterministic real-time systems.

Additionally, the proposed methods were evaluated on another family of bench-
marks, the Fischer mutual exclusion protocol with a varying number of processes. This
family has only a small amount of non-determinism and the runtime of the methods
was higher than that of the timed automata model checker Uppaal. However, the timed
IC3 algorithm was found to scale similarly well as Uppaal.